[29766] in Kerberos
Re: Is a Kerberos principal always a DNS name?
daemon@ATHENA.MIT.EDU (Booker Bense)
Fri Apr 25 13:17:50 2008
From: bbense@slac.stanford.edu (Booker Bense)
Date: Fri, 25 Apr 2008 16:59:27 +0000 (UTC)
Message-ID: <fut2lf$53l$2@news.Stanford.EDU>
To: kerberos@mit.edu
In article <fured4$vvq$3@relay.tomsk.ru>,
Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> wrote:
>Booker Bense wrote:
>> >
>> >Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>> >
>
>> It's whatever both sides of the connection agree that it should
>> be BEFORE the connection is made. DNS names are used by default
>> since that makes an easy out of band way to get both sides to agree.
>
>> You can use IP addrs if you can wrangle both client and server
>> software into using them. I'm not aware of any standard clients
>> that will support that kind of usage though.
>
>If we take for example an sshd server on a typical Unix host, how does
>it figure out its own principal name? Suppose it has keys for
>multiple principals in the keytab, which one would it choose?
>
Whatever it's configured to choose. The default is
host/dns.expansion.for.ip.of.host@REALM
This can get quite complicated if you have multiple interfaces
with different DNS names. Both the server and the client have
to make a priori decisions about the principal the service uses.
Choosing that principal is entirely up to the software.
_ Booker C. Bense
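
The multi-interface case described in the reply above, as an added example that is not part of the original post and is not code from sshd or any Kerberos library. It is a simplified model that assumes the client builds the name by a forward and then a reverse DNS lookup; every host name, address and keytab entry is constructed.

```python
# Simplified model: all host names, addresses and keytab entries are constructed.
FORWARD = {                      # name -> address (A records)
    "login.example.org": "192.0.2.10",
    "node1.example.org": "192.0.2.10",
    "backup.example.org": "198.51.100.7",
}
REVERSE = {                      # address -> name (PTR records)
    "192.0.2.10": "node1.example.org",
    "198.51.100.7": "node1-bk.example.org",
}
KEYTAB = {"host/node1.example.org@EXAMPLE.ORG"}   # principals the server holds keys for


def client_principal(name, realm, service="host", forward=FORWARD, reverse=REVERSE):
    """Principal a client would request: service/<DNS expansion of the IP>@REALM."""
    addr = forward[name.lower()]
    fqdn = reverse.get(addr, name).lower()   # fall back to the typed name if no PTR
    return f"{service}/{fqdn}@{realm}"


def audit(names, realm, keytab=KEYTAB):
    """Map each name users might connect to -> (requested principal, key present?)."""
    report = {}
    for name in names:
        principal = client_principal(name, realm)
        report[name] = (principal, principal in keytab)
    return report


def missing_principals(names, realm, keytab=KEYTAB):
    """Principals clients will ask for that the keytab cannot satisfy."""
    return sorted({p for p, ok in audit(names, realm, keytab).values() if not ok})


if __name__ == "__main__":
    for name, (principal, ok) in audit(FORWARD, "EXAMPLE.ORG").items():
        print(f"{name:22} -> {principal:40} {'ok' if ok else 'NO KEY'}")
    print("add to keytab:", missing_principals(FORWARD, "EXAMPLE.ORG"))
```

Run against a host's real DNS names, a check like this shows which interface names would lead clients to request a principal the keytab has no key for.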